Blacksight Scout: Wireless Recon Without the Laptop Bag

The Blacksight Scout is a compact wireless reconnaissance device built for the work that happens before you ever deploy a Phantom. It enumerates WiFi networks, discovers Bluetooth and BLE devices, captures probe requests from client devices, and tracks wireless clients over time -- all from a form factor small enough to fit in a jacket pocket. Plug it into power, walk away, and watch the data stream into your dashboard.

What Does the Scout Actually Do?

At its core, the Scout is a passive wireless sensor. It operates in monitor mode across the 2.4 GHz and 5 GHz WiFi bands and performs continuous Bluetooth/BLE scanning. It does not transmit on WiFi (no deauths, no rogue APs, no active probing). Everything it collects comes from frames and advertisements that devices are already broadcasting. This is the tool you use when you need to understand the wireless landscape without leaving any RF fingerprint of your own.

WiFi Enumeration

The Scout captures beacon frames and probe responses from every access point in range, building a comprehensive picture of the target's wireless infrastructure: SSIDs (including hidden networks detected via probe responses), BSSID-to-channel mapping, encryption types (Open, WEP, WPA2-PSK, WPA2-Enterprise, WPA3-SAE), signal strength over time, and vendor OUIs. It hops across all channels on both bands in a configurable rotation pattern, so you get full coverage rather than a static snapshot of one channel.

Client Tracking and Probe Requests

Probe requests are gold for pre-engagement reconnaissance. When a device has WiFi enabled and is not connected to a network, it broadcasts probe requests for networks it has previously joined. The Scout captures every probe request in range and correlates them by source MAC address. This tells you what networks the target's employees have connected to before -- home networks, hotel WiFi, airport networks, and most importantly, the target organization's own SSIDs.

Modern devices use MAC address randomization to limit tracking, but the implementation is inconsistent. Many devices still send directed probe requests with their real MAC address for preferred networks. The Scout detects and flags cases where a randomized MAC is associated with a directed probe, which often reveals the true device identity. It also tracks signal strength over time, so you can correlate when specific devices arrive at and leave the target location -- useful for understanding shift patterns and building a picture of who is in the building when.

Bluetooth and BLE Discovery

The Scout's Bluetooth radio continuously scans for Classic Bluetooth discoverable devices and BLE advertisements. It logs device names, MAC addresses, device classes, service UUIDs, and advertisement data. For BLE, it decodes common GATT profiles -- so you can see not just that there are BLE devices in the area, but whether they are smart locks, badge readers, fitness trackers, wireless keyboards, or medical devices. This inventory is critical for planning Fang mode attacks on a subsequent Phantom deployment.

What Hardware Does the Scout Use?

The Scout is built on an Intel N100 (or N150, depending on configuration) processor in a stick form factor -- roughly the size of a large USB flash drive, but thicker. It has an internal WiFi 6 radio with a modified firmware that supports full monitor mode and channel hopping, a Bluetooth 5.2 radio, 4 GB of RAM, and 64 GB of eMMC storage. Power draw is under 10 watts, so it runs off any USB-C power source: a wall outlet, a battery pack, or a powered USB hub.

For connectivity back to the dashboard, the Scout uses an external USB 4G dongle rather than an internal modem. This keeps the form factor small and lets you choose your own carrier and SIM. The dongle plugs into the Scout's USB-A port and is auto-configured on boot. If no 4G dongle is present, the Scout stores everything locally and syncs when connectivity is restored.

How Should You Deploy the Scout?

Pre-Engagement Recon

The most common use case. Before you ever set foot inside the target facility, you deploy one or more Scouts in the vicinity -- a parking lot, a shared lobby, the coffee shop next door. Over a few days, the Scouts build a complete wireless map: every SSID, every access point, every client device that comes and goes, every Bluetooth peripheral. By the time you plan the physical engagement, you already know the network architecture, the device inventory, and the foot traffic patterns. You know which SSIDs are WPA2-Enterprise (and thus worth targeting with Siren mode) and which are WPA2-PSK (and thus worth cracking offline).

Parking Lot Drops

A Scout plugged into a USB battery pack and left in a vehicle can run for 8 to 12 hours depending on the battery capacity. Park in the target's lot, leave the Scout running, and come back at the end of the day. You get a full day's worth of WiFi and Bluetooth data without ever entering the building. The 4G uplink means you do not have to retrieve the device to get the data -- it streams to your dashboard in real time.

Continuous Monitoring

For longer engagements, Scouts can be deployed semi-permanently. Plug one into a wall outlet in a shared space (a conference room, a break room, a restroom with an outlet) and it will run indefinitely. Over days or weeks, it builds a comprehensive baseline of wireless activity: when networks go up and down, when new devices appear, when employees arrive and leave. This baseline is invaluable for timing Phantom attacks to coincide with peak activity (for credential harvesting) or minimum activity (for physical access).

How Does Scout Intelligence Feed Into Phantom Deployments?

The Scout and Phantom share a dashboard, and the data flows directly between them. When you deploy a Phantom after a Scout recon phase, the Phantom inherits the Scout's network map. This means Siren mode already knows which SSIDs to clone and which clients to target. Fang mode already has the BLE device inventory. Venom mode knows the network topology from the Scout's observed traffic patterns. Instead of the Phantom spending its first hours in Scope mode building a map from scratch, it starts with intelligence already in hand.

In team engagements, you can deploy multiple Scouts at different locations around the target -- north side of the building, south parking lot, lobby -- and their data merges into a single unified view in the dashboard. You see signal strength from multiple vantage points, which lets you triangulate the physical location of access points and high-value wireless devices.

Data Export and Dashboard

Everything the Scout captures is available in the Blacksight dashboard in real time. The dashboard presents a sortable, filterable table of discovered networks, clients, and Bluetooth devices, plus a timeline view showing when each was first and last seen. You can export raw data as CSV or JSON for ingestion into your own tooling, or download filtered PCAP files for offline analysis in Wireshark.

The Scout's data is encrypted in transit using the same zero-knowledge relay as the Phantom. Your reconnaissance data never passes through our infrastructure in plaintext. If you are operating in an environment where even the existence of a 4G uplink is a concern, the Scout can operate entirely offline -- it stores everything on its local encrypted storage, and you export the data over a direct Ethernet connection when you physically retrieve the device.

The Scout ships at $499 and includes the same dashboard access and relay as the Phantom. There are no subscriptions, no per-device fees, and no data caps. Deploy as many as you need for as long as you need.